I've had a few of my Facebook fans tell me that when they click on links to my site, their virus checker gives them a trojan warning.

A few months ago I found someone had planted malicious code in my header and changed my .htaccess. I'm certain I've cleaned it all.

I have a couple of theories:

1. It's possible that during the 12 hours or so that the virus was there previously, my site got picked up by virus checking companies and is on a list as suspicious. If so, how do I get off of a list?

2. Perhaps another site on my shared hosting plan has a virus and as such my ip is flagged as suspicious? If this is the case, this should be cleared up shortly as I am migrating to a new host soon.

3. Perhaps there still is a virus present. Is there any way I can check for one?

I really think that the people who are getting warnings have not updated their virus definitions. An article of mine was just posted on a major veterinary board and someone commented saying, "Don't click! Avast says the site has a Trojan!" The next person responded saying they had Avast 2012 and got no warning.

I think you're right or at least somewhat on the right track. It's bound to be some residual effect from the previous problem. I don't know what the solution is. I guess I'd probably try to find out if there is a blacklist out there that the site is on, but I don't know how to find it.

Oh, I definitely won't tackle that. My best buddy Michael cleans sites for a living, so I know how complex it can be to make sure everything gets uncovered. I'd not want to miss anything. He does, however, list some SQL statements you can run in his cleaning post - http://smackdown.blo...s-installation/ So you might want to run those first.

I contacted my host and they were able to see and remove the malicious code.

If you are interested, here is what happened. There was a file called footer.php that was inserted in a directory. The directory was one that is used to host files that do calculations for a tool that I created. There should not have been a footer.php in that directory. Here is the file:

I'm guessing that what it does is hide the badness from bots. (Which is likely why my WMT didn't give me a warning.) Then, I'm guessing that what it does is show ads to the user rather than having them see my ads. Sneaky.

My host figures that when I was hacked a few months ago there was an open door that allowed the hackers to plant this code. They said it's also possible that I got infected by accessing my cpanel from an infected PC. Interestingly enough, one of our computers was severely virus infested this week. The computer tech said it was the worst they had seen and it took them 3 days to get the thing off. Who knows if the virus came from my site or if this virus actually infected my site.

I am suspicious that this started shortly after I installed my forum (which is now gone). But I guess I'll never know.

As an interesting twist, the nasty footer.php file keeps repopulating itself. For now I have deleted it and created a new blank file called footer.php in the hopes that it will stop the virus from creating a new file. I'm waiting to see what my host says.

See, that's why I don't clean sites and don't recommend people do it themselves. A back door was left open and it will keep getting reinfected over and over and over again until all avenues are closed. I've paid attention to the many times that Michael has cleaned sites and the work involved is pretty intense, to make sure nothing is missed.

If you're not supposed to have a footer.php file then there should be relatively few references to it in your library of PHP files. If you are using a Linux-based server and IF you can telnet to it and IF you know how to do that, you can probably find the script that is still corrupted by using a command line query similar to this:

grep -r 'footer.php' * > ./footer-report.txt

That would put all its results into the text file "footer-report.txt", which you could download and browse casually. Knowing where the corrupted script is would point you to which theme/plugin directory should be re-installed (or de-installed).

If you try this, be sure to check again after you re-install anything to make sure you're not just installing a corrupted package.

My host has found some more corrupted files...all of these are from my WordPress blogs. I feel like a dolt because I changed all of my main passwords but didn't change my WP admin passwords. This is likely part of the problem.

The host says they are going to do a manual audit of the site to see if they can pick up any more bad stuff.

Please don't assume it's just a password. Yes, you should change those too, but I'm tellin ya...I can't stress this enough...they have numerous ways of injecting backdoors all over the place, and if you get your head set on it being "this one thing", then you're gonna miss the other ten things.

j/k. My host change should take place this weekend....it has taken me AGES to get my files ready.

Here's a tip for anyone self programming a static site that uses databases...use a config file and variables for your host, username, password and database name. That way if you change hosts you just have to change the config file and not every single page on your website!

Marie, if it happens again, please, I beg you...have someone who does this thing for a living fix it. Otherwise, you're just going to keep going through this over and over and over and...well...kinda like what's already been happening. Y'all are just putting bandaids on it so far. It's not working. It's time to get real help. I think you should contact my friend Michael, but the other place you were thinking of is probably good too. Pick someone though - not the host - obviously that's not working. Just my opinion...

Thanks Donna...that is definitely the plan. The tech that I talked to at my hosting company did feel confident that he had removed all of the bad files. But, I am not naive and do understand that these viruses are nasty nasty things and very clever. If it comes back again I will definitely hire a professional.

So, I DON'T deal with these things for a living but I have read that some of these things can live in your database (which is why I earlier said I would just delete everything and restore from a corrupted backup). If that is the case, you probably need to contact Donna's friend or someone who knows ALL the nooks and crannies where these things can hide.

BTW -- have you checked your personal/work computers for infections? I haven't heard of any desktop-to-server infections but you never know. I use Trend Micro's House Call when I'm not sure if a computer's anti-virus software can be trusted. You can download House Call from the Web for free each time you want to use it.

Gumblar was a desktop-to-server infection - it sniffed out FTP details, then sent the details back somewhere for people to use to infect servers. No idea how exactly it worked, but that is what happened to a friend's site. Luckily it was not that clever and altered files had a date stamp. It did change a lot of strange files, usually in temp folders, log reports etc., as well as planting things like image.php in image directories - you do not see it as a strange file to start with.

After a week of being clean the darn thing came back again. I signed up for sucuri.net's $90 plan where for one year they check your site every 6 hours for malware and fix anything they find.

Within 10 minutes they had found the answer. The malware kept coming in via an outdated timthumb.php file. If you do a search for timthumb, you'll see that it's actually a well known vulnerability that gives bad guys a door to keep accessing your site.

Here's the weird thing though...I couldn't find a timthumb plugin in either of my 2 WP blogs. All of my plugins were up to date and so were my themes so I was stumped.

When I found it, I was shocked! The file was in a folder of an UNUSED theme that I had. I had a bunch of themes that I had downloaded to try when I first created my site. The files were all still there and of course they had never been updated. The nastiness came in via a free theme that I had downloaded a couple of years ago.

btw...if anyone reading this has issues with timthumb.php attacks, you can either upgrade your theme, or if that is not possible, here is a good page to explain what to do: http://www.gabfireth...-vulnerability/
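An added example for this thread, not code written by anyone posting in it. It puts the two hunts described above into one small offline script: the grep for references to a file that should not exist (footer.php), PHP files sitting in data-only directories (the image.php-in-an-images-folder trick), common obfuscation idioms, and an inventory of every TimThumb copy under a WordPress tree with its VERSION define, including copies in themes that are not active. The directory names, the obfuscation patterns, the way TimThumb declares its version and the minimum "safe" version are assumptions chosen for illustration; the sample tree it builds is constructed, not real site data.

```python
"""Added example (not from the thread): offline triage of a WordPress tree."""
import os
import re
import tempfile

# Directories that should hold data, not executable PHP (assumption).
DATA_DIRS = {"uploads", "images", "cache", "tmp"}

# Idioms common in injected PHP (constructed list; extend as needed).
OBFUSCATION = [
    re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),  # /e executes code
    re.compile(r"(?:assert|create_function|system|passthru)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
]

# TimThumb declares its version as:  define ('VERSION', '2.8.10');  (assumption)
TIMTHUMB_VERSION = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]\s*\)")


def version_tuple(s):
    return tuple(int(p) for p in s.split("."))


def triage(root, unexpected="footer.php", min_timthumb="2.8.10", active_theme=None):
    """Walk root and return findings keyed by category (lists sorted by path)."""
    out = {"references": [], "misplaced": [], "obfuscated": [], "timthumb": []}
    min_v = version_tuple(min_timthumb)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            parts = rel.split(os.sep)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if DATA_DIRS & set(parts[:-1]):            # PHP where only data belongs
                out["misplaced"].append(rel)
            if unexpected in text and name != unexpected:  # who includes footer.php?
                out["references"].append(rel)
            if any(p.search(text) for p in OBFUSCATION):
                out["obfuscated"].append(rel)
            if "TimThumb" in text or name.lower() == "timthumb.php":
                m = TIMTHUMB_VERSION.search(text)
                version = m.group(1) if m else None
                theme = (parts[2] if parts[:2] == ["wp-content", "themes"]
                         and len(parts) > 3 else None)
                out["timthumb"].append({
                    "path": rel,
                    "version": version,
                    "outdated": version is None or version_tuple(version) < min_v,
                    "theme": theme,
                    "in_active_theme": theme is not None and theme == active_theme,
                })
    for key in ("references", "misplaced", "obfuscated"):
        out[key].sort()
    out["timthumb"].sort(key=lambda r: r["path"])
    return out


def build_sample_tree():
    """Constructed sample tree for an offline run: an active theme with a current
    TimThumb, an unused free theme with an old renamed copy plus an injected
    functions.php, and a stray image.php in uploads."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "wp-content/themes/mytheme/index.php": "<?php get_header(); ?>\n",
        "wp-content/themes/mytheme/timthumb.php":
            "<?php\n/* TimThumb script */\ndefine ('VERSION', '2.8.10');\n",
        "wp-content/themes/freebie/thumb.php":
            "<?php\n/* TimThumb script */\ndefine ('VERSION', '2.8.2');\n",
        "wp-content/themes/freebie/functions.php":
            "<?php\ninclude 'calc/footer.php';\neval(base64_decode('aGVsbG8='));\n",
        "wp-content/uploads/2012/image.php": "<?php echo 'x';\n",
        "calc/footer.php": "<?php /* the unexpected file itself */\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    findings = triage(build_sample_tree(), active_theme="mytheme")
    for category, items in findings.items():
        print(category)
        for item in items:
            print("  ", item)
```

Run it against the site's document root instead of the sample tree, and treat the output as a list of places to look, not a verdict: a plain grep only finds references written in clear, so an injected include that is itself base64-encoded shows up under "obfuscated" rather than "references", and a TimThumb copy with no VERSION line is reported as outdated because an unknown version is not a safe one. Note that themes you merely downloaded to try are scanned the same as the active one, which is exactly where the copy above was hiding.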

I've got full-time monitoring on all sites on my server now. I use Locker from Code Garage. They've caught a few since the initial attacks on sites I wasn't even paying them to look after - so I'm highly thankful to Peter and his team.

It's always best to be proactive with these sorts of things, but most people (myself included, of course) are reactive, waiting only until it happens to do anything about it.

I wanted to update this thread just in case it helps others who are going through this type of issue.

Sucuri.net worked really hard on the problem, but unfortunately it kept coming back. Their automated software kept sending me an email to say I was infected, and then I would have them take a look and each time they thought they found the answer, but it would come back again.

On the advice of Donna, I hired Michael VanDerMar to have a look. (He has given me permission to tell you guys about his work. You can contact him here if any of you ever need malware help: http://smackdown.blo...chael-vandemar/)

At first Michael had the site cleaned very quickly. But, the next day Sucuri was sending me warnings again. From Michael's side, things looked clear. I started to wonder if Sucuri's tool was buggy. But, I had a few Facebook fans complain that Avast was warning them of a virus on my site.

Sucuri suggested that the virus could be what is called conditional malware. Some of the malware these days is configured to only display once per IP. Or, it can only appear at certain hours of the day.

I gave Michael this information and he found out that the malware was configured to only appear for users with Internet Explorer. Even though the virus was mostly affecting my WordPress blog, it had set up a folder outside of WordPress that it used to continually repopulate random pages of my site with malicious code.

It's been several days now and the site seems to be clear.

Why on earth do people write these nasty things?

I highly recommend Michael to anyone having malware issues. This stuff is brutal!!!
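An added example for the conditional-malware part of this thread, not code from anyone posting in it. It shows why a cleaner's own browser and a scanner's fetch can disagree: the page is requested once per User-Agent (an old Internet Explorer string, Firefox, Googlebot and curl) and the responses are compared by hash, length and a few injection markers. The fetch function is injected so the comparison runs offline against a constructed site that only serves a hidden iframe to MSIE; the User-Agent strings, the marker patterns and the example.invalid host are assumptions.

```python
"""Added example (not from the thread): detect User-Agent-conditional payloads."""
import hashlib
import re
import urllib.request

# User-Agent strings to request the page as (assumed values, not from the thread).
USER_AGENTS = {
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "curl": "curl/7.22.0",
}

# Markers that commonly appear in injected content (constructed list).
INJECT_MARKERS = [
    re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*['\"]?0", re.I),   # zero-sized iframe
    re.compile(r"<iframe[^>]*display\s*:\s*none", re.I),               # hidden iframe
    re.compile(r"eval\s*\(\s*(?:unescape|String\.fromCharCode)", re.I),  # packed JS
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
]


def http_fetch(url, user_agent, timeout=15):
    """Real fetch for a live site; not used by the offline demo below."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def compare_variants(url, fetch=http_fetch, agents=USER_AGENTS):
    """Fetch url once per User-Agent and report which variants differ and which
    carry injection markers. 'cloaked' means at least two variants differed."""
    variants = {}
    for label, ua in agents.items():
        body = fetch(url, ua)
        variants[label] = {
            "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest()[:12],
            "length": len(body),
            "markers": [m.pattern for m in INJECT_MARKERS if m.search(body)],
        }
    digests = {v["sha256"] for v in variants.values()}
    return {
        "variants": variants,
        "cloaked": len(digests) > 1,
        "suspect_agents": [l for l, v in variants.items() if v["markers"]],
    }


# Constructed stand-in for a site that serves the payload only to MSIE.
CLEAN_PAGE = "<html><body><h1>My site</h1><p>Article text.</p></body></html>"
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<iframe src='http://example.invalid/x' width='0' height='0'></iframe></body>")


def fake_fetch(url, user_agent):
    """Offline fetch: IE gets the injected page, everyone else the clean one."""
    return INJECTED_PAGE if "MSIE" in user_agent else CLEAN_PAGE


if __name__ == "__main__":
    result = compare_variants("http://example.invalid/", fetch=fake_fetch)
    print("cloaked:", result["cloaked"], "suspect:", result["suspect_agents"])
    for label, v in result["variants"].items():
        print(f"  {label:10} {v['sha256']} len={v['length']} markers={len(v['markers'])}")
```

Two caveats when pointing this at a real site with http_fetch. Dynamic pages legitimately differ between requests (nonces, timestamps, rotating ads), so a hash mismatch alone is a hint and the markers are what to read. And if the payload is served once per IP, as the post above describes, the second request from the same address comes back clean, so either run each variant from a different address or compare against a capture taken earlier.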